The recent news that Promedica accidentally exposed the personal information for nearly 1,200 patients has put the reality of a data breach front and center for many in the Toledo area. After all, if this happened to one of the largest companies in the region, with elaborate processes and sophisticated technology to prevent such situations, how can any company be immune?
Which, of course, is what has the local business community in an uproar. The incident has made it clear that even with substantial preparation, mistakes and oversights happen. In Promedica’s case, emails with personally identifiable private health information were inadvertently sent to a wrong email address. It just as easily could have been a hacker using a fake email to weasel their way into the data system or patient records thrown in the trash instead of a secure container for shredding. We see examples like these all the time at companies right here in Northwest Ohio and Southeast Michigan.
So, one of the takeaways is to ask yourself “What happens if we have a breach?” Because no matter how diligent you are on the front end, a data breach can happen to you.
What Happens After a Data Breach?
According to the Federal Trade Commission, some of the first steps to take in the event of a breach include:
- Move quickly to secure your systems and fix vulnerabilities that may have caused the breach.
- Secure physical areas that might be related to the breach.
- Assemble a team to respond to the breach, which—depending on the size and nature of your company—may include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.
- Consult with legal counsel.
- Take all affected equipment offline immediately—but don’t turn any machines off until the forensic experts arrive.
- Update credentials and passwords of authorized users.
- Remove improperly posted information from your websites. Be aware that internet search engines store, or “cache,” information for a period of time, so you may need to contact the search engines to ensure that they don’t archive personal information posted in error.
- Search for your company’s exposed data to make sure that no other websites have saved a copy.
- Interview people who discovered the breach and document your investigation. Make sure your staff knows where to forward information that may aid the investigation.
- Do not destroy evidence.
Who, How and When to Notify About a Data Breach
Because data breaches happen without warning, many companies give advance thought to the actions they will need to take in the event of an incident. Their considerations focus on two distinct audiences:
Notification to Authorities
Companies that suffer a data breach must notify the proper authorities, which may include local police, the FBI or the FTC, depending on the business or industry served. If the breach involved personal health records, other requirements may apply, such as those covered in the HIPAA Breach Notification Rule.
As you prepare your notification requirements, it is critical to recognize the need to demonstrate to authorities the barriers you have in place to protect your data, such as policies and procedures, locked containers for discarded paper documents, cyber security platforms, and adequate staff education and training. If those things are not in place at your company, or if you have not prepared for how you will prove that they are, you are leaving your company open to significant liability.
You must also report the breach to Federal authorities and authorities in every state where a personally identifiable breach victim resides. This can obviously be a large burden, which is one of the major benefits of a solution like our CSR Readiness Pro program (more on that in a minute).
Notification to Affected Individuals
Of course, the sooner you notify affected individuals that their personal information has been compromised, the sooner they can take steps to protect themselves. Not only is this a moral imperative, but it can also shape perceptions about your company from both customers and the community. In the wake of the Promedica breach, there have been many questions about why it took six weeks from the time the breach was discovered before affected individuals were notified.
This is not to imply that Promedica waited too long. Many factors affect the appropriate timing of notification, including the progress of any investigation into the scope and scale of the breach. The important point is to be geared up to notify individuals as early as the situation allows.
For a good overview of the notification considerations, read the FTC’s Data Breach Response: A Guide for Business.
Tools to Help You Prepare and Respond to a Data Breach
Since a data breach can happen to any company, regardless of size or resources, how effectively you prepare and respond to an incident is critical to the breach’s ultimate impact on your company. For many companies, the CSR Readiness Pro program from AccuShred can help improve that performance.
CSR Readiness® is a risk assessment program delivered via an online portal that will help you identify and assess your potential privacy or security weak points. Once those are identified, prioritized remediation tasks are recommended to help your organization amend, adjust, and improve its overall privacy practices. This proactive preparation is critical for you to mitigate fines and protect your reputation should your company ever face an investigation or legal inquiry related to a breach.
CSR Breach Reporting Service is the reactive solution that takes the worry, hassle and cost out of responding to a data breach. Certified Information Privacy Professionals will handle any and all federal and state notifications mandated for the breach and take care of notifying your customers. The Breach Reporting Service™ is a particularly valuable solution for companies that don’t have in-house legal resources.
While the incident at Promedica was unfortunate, perhaps its local relevance will help other companies in Northwest Ohio and Southeast Michigan recognize the importance of being prepared to respond to a data breach at their organizations.
That would be a silver lining.
If you have questions or want more information about data breach readiness, we would be happy to help. Just contact Nate Segall at AccuShred.